Mysteries of the Panama Papers

Just as the story of the “Panama Papers” was about to die out, we in the security community are treated to new data, some celebrities and a manifesto. The leaked data from the Mossack Fonseca breach is supposed to illuminate the dark corners of international tax evasion, but the story still has many mysteries around it.

Why the change of plan?

On May 9th, the International Consortium of Investigative Journalists (ICIJ) put a neat little web front-end onto a searchable database drawn from the breached Panama Papers data. This is interesting, because in a Reddit ask-me-anything (AMA) session just three weeks earlier, the journalists had said they weren’t going to release the data. What they released is not the 11.5 million leaked documents themselves but a structured database of some 320,000 offshore entities and the people and addresses linked to them. That is enough for voyeurs to type in random celebrity names and start getting hits.

Is Hermione a tax dodger?

Emma Watson was outed for… owning a house in London. So was Simon Cowell. What makes these celebrities different from average people is that they don’t want their houses owned in their own names, as that invites troubled fans to come visiting. For example, the late-night host David Letterman had a schizophrenic stalker breaking into his house for years. So it is understandable that an A-list celebrity might want to own a property but not have their name attached to it. Does this mean Hermione is a tax dodger? And what if there are other American Idol judges in the millions of Panama Papers documents that weren’t released?

Who is John Doe?

The self-proclaimed hacker of Mossack Fonseca, who is using the pseudonym John Doe for now, released a cogent, well-written manifesto decrying the legal profession and the press for failing to follow up on the corruption and tax evasion that the Panama Papers purport to expose. If John Doe is who he suggests he is (an SJW hacktivist), then at least we can stop assuming that the whole stunt was performed by an insider, a rival legal firm, or the U.S. Department of Justice, which are some of the crazier rumors that have been going around.

Where was WikiLeaks?

John Doe claims that he contacted WikiLeaks several times about the Panama Papers but they never got back to him. This is interesting for two reasons. One, because it lets the air out of the ICIJ, who assumed that they were Doe’s first pick for publication, and second because yeah, why didn’t WikiLeaks jump all over this? Could it be that WikiLeaks was never really more than Julian Assange? Does his failure to respond signal that he’s lost interest in whistleblowing?

How did John Doe do it?

Three weeks ago, the hacker “Phineas Fisher,” who broke into the surveillance vendor Hacking Team, released a technical breakdown of how he or she hacked a group that shouldn’t have been hackable. It’s well worth reading for expert and novice alike. Also, in the last two weeks we’ve been treated to the technical breakdown of the Bangladesh Bank heist, which apparently used custom malware that patched a two-byte conditional jump in the bank’s SWIFT Alliance Access software (replacing it with two NOPs) to bypass an integrity check and help steal $81 million. Maybe we’re getting spoiled seeing the technical prowess of these hacks in the post-mortems. Of course, we in the infosec community are curious about how John Doe got into Mossack Fonseca. But I bet it wasn’t hard for him.

Lawyers are notoriously stingy about spending budget on IT resources. I know this from being involved with customers in the legal profession. I’ve also dated a few lawyers, and they would sometimes discuss their firms’ IT problems. Typically, their stories would start out with the phrase “our poor IT guy.” Yep, one IT guy for an entire legal firm is pretty typical. And that one IT guy isn’t usually a security expert. A solutions architect I talked with recently said “If I wanted to wreck someone’s life, I might start by hacking their lawyer.”

How do you exfiltrate 2.6 terabytes of data?

According to the journalists at ICIJ, it took over a year for John Doe to get all the data out. Of course, SQL injection (SQLi) is the usual suspect for any large data dump, but SQLi is probably only part of the story. Images, PDFs and eleven million separate documents don’t come out of a single database query; that volume and variety suggests a long-term occupation of the network, or an APT if you want to get all TLA. So once John Doe got himself into Mossack Fonseca, he exfiltrated 2.6 terabytes of data out of their network. That’s a ton of data: the biggest known leak ever. Spread over a year, though, it is only about 7 gigabytes a day, or roughly 80 kilobytes per second on average, which is a trickle that would not stand out on any business internet link.

While we can tsk-tsk over the “shoddy security” of the legal profession, the dirty little secret is that most companies can’t control exfiltration very well, either. There are data loss prevention (DLP) devices on the market, but none of them can see inside encrypted connections unless something decrypts the traffic for them first, whether a TLS-intercepting proxy on the network or an agent on the endpoint that inspects files before they are encrypted. And because the world is moving to more encryption (thank you, Edward Snowden), network DLP devices that inspect payloads are losing effectiveness every day. What an attacker cannot hide from the network is the metadata: who talked to whom, for how long, and how many bytes went out.
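The two paragraphs above make a point that is easy to state and easy to forget: a 2.6 TB leak spread over a year is a slow trickle per day, and a payload-inspecting DLP box cannot read it if it is wrapped in TLS. What survives encryption is flow metadata. The following is an added example, not code from the original post or from ICIJ, F5 or anyone else named here. It assumes NetFlow/IPFIX-style records carrying only source, destination, port and outbound byte counts, and the sample flows are constructed for illustration (the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses). It computes the average egress rate implied by the leak and then flags internal hosts whose outbound volume to one external destination stays high across several days, which is the shape of a long occupation rather than a one-off backup.

```python
"""Volumetric detection of low-and-slow exfiltration from flow metadata.

Added example, not from the original post. Assumes NetFlow/IPFIX-style
records that carry only the 5-tuple plus byte counts, which is all that
remains visible once the payload is TLS-encrypted. SAMPLE_FLOWS below is
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

TERABYTE = 10 ** 12
SECONDS_PER_DAY = 86_400


def average_rate(total_bytes: int, days: int) -> float:
    """Average sustained egress rate in bytes/second for total_bytes over days."""
    return total_bytes / (days * SECONDS_PER_DAY)


# Constructed sample flows: (timestamp, src, dst, dst_port, bytes_out).
# 10.0.5.23 pushes ~7 GB/day to the same external host every night over TLS.
# 10.0.5.40 does a single 8 GB cloud backup once; 10.0.5.41 just browses.
SAMPLE_FLOWS = [
    ("2016-01-01T02:10:00", "10.0.5.23", "203.0.113.9", 443, 7_500_000_000),
    ("2016-01-02T02:14:00", "10.0.5.23", "203.0.113.9", 443, 7_100_000_000),
    ("2016-01-03T02:09:00", "10.0.5.23", "203.0.113.9", 443, 7_300_000_000),
    ("2016-01-04T02:11:00", "10.0.5.23", "203.0.113.9", 443, 6_900_000_000),
    ("2016-01-02T13:00:00", "10.0.5.40", "198.51.100.7", 443, 8_000_000_000),
    ("2016-01-01T09:00:00", "10.0.5.41", "198.51.100.20", 443, 120_000),
    ("2016-01-02T09:00:00", "10.0.5.41", "198.51.100.20", 443, 90_000),
]


def daily_outbound(flows):
    """Sum bytes_out per (src, dst) pair per calendar day.

    Returns {(src, dst): {date: bytes_out}}. Payload content is never needed,
    so this works identically for encrypted and cleartext connections.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _port, bytes_out in flows:
        day = datetime.fromisoformat(ts).date()
        totals[(src, dst)][day] += bytes_out
    return totals


def flag_sustained_egress(flows, daily_threshold: int, min_days: int):
    """Return sorted (src, dst) pairs that sent >= daily_threshold bytes
    on at least min_days distinct days.

    Requiring several heavy days separates a long-running drain from a
    legitimate one-off transfer such as a backup or a large upload.
    """
    flagged = []
    for pair, per_day in daily_outbound(flows).items():
        heavy_days = sum(1 for b in per_day.values() if b >= daily_threshold)
        if heavy_days >= min_days:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    rate = average_rate(int(2.6 * TERABYTE), 365)
    print(f"2.6 TB over a year averages about {rate / 1000:.0f} kB/s")
    five_gb = 5 * 10 ** 9
    print("one-day view:  ", flag_sustained_egress(SAMPLE_FLOWS, five_gb, 1))
    print("three-day view:", flag_sustained_egress(SAMPLE_FLOWS, five_gb, 3))
```

Run stand-alone it prints the ~82 kB/s average and shows that a single-day threshold flags both the exfiltrating host and the innocent backup, while asking for three heavy days leaves only the exfiltrating host. The threshold and the number of days are the tuning knobs; in practice you would derive them from each host’s own baseline rather than a fixed 5 GB.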

Why aren’t there any U.S. companies in the Panama Papers?

Actually this one isn’t such a huge mystery. The U.S. is its own tax haven, and there are hundreds of legal firms that will help anyone set up an LLC or trust within the U.S. to protect assets.

I suspect that John Doe is a U.S. citizen, from reading his manifesto. He writes like an American, and his manifesto makes more references to the U.S. than to any other nation. If that is true, then there’s a little irony in the Panama Papers exposing what already exists everywhere in John Doe’s own country. If he wants to, there are hundreds of American legal firms he could start hacking, and then we could read about American celebrities who may be using shell companies to keep their names off of legal deeds.

David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.